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Trends in Application 
Security 


Web app breaches continue 
E-commerce sites targeted 
API attacks 
Trends in AppSec testing 
Shifting left 
Coverage 


Automation 


Breaches 
Web Applications 


Miscellaneous Errors 
Privilege Misuse 


Cyber-Espionage 


Lost and Stolen Assets 


Point of Sale 


Source: 2019 Verizon DBIR 
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Web Application 
Scanning 


WAS Overview 


Detects application-layer vulnerabilities in 
web apps & APIs 


Browser engine 

Automated crawling 

Play back of Selenium scripts 

API to integrate with other systems 
Unique integration with Qualys WAF 


Mature product 
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2019 Highlights 


WAS Jenkins plugin v2 


Updated Oualys Browser Recorder 
TELST 

Full HTTP requests 

Enhanced crawling 

Postman Collections 

WAS Burp extension v2 

Editable QID severity 
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WAS Roadmap 


2019 


2020 


January 


Out-of-band vulnerability 
detections ("Periscope") 


Customized scheduled 
report email 


Feb-Mar * 

SSL/TLS detections 
OpenAPI v3 support 
Bamboo & TeamCity plugins 
Auth vault support 


OP ay 
Subdomain discovery 
Beta of new dashboard 


Subresource integrity (SRI) tests 
* Tentative 
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Monitoring for defacements 


Out-of-Band Vulnerabilities 


Some issues can't be detected by traditional reguest-response 


SSR 
SMTP header injection takes Vulnerable pplication Targetesapplication 
Blind XXE injection Crafted HTTP request 


Request (HTTP, FTP...) 


Detecting these vulnerabilities 
requires a different approach 


Attacker VulnerableApplication TargetedApplication 


Source: OWASP 
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Introducing Periscope 


Detection mechanism for out-of-band web app vulnerabilities 


Scanner sends a test; POST request body is: 
p1=joe&p2=smith&p3=http%3A%2F%2Fe528efddaa51 766cb86afb1 9f22de54b6da1093c.1454156_35626.2086421852.ssrf01. 
ssrf.qualysperiscope.com 


The web app tries to resolve this FQDN: 


e528efddaa51766cb86afb19f22de54b6da1093c.1454156_35626.2086421852.ssrf01.ssrf.qualysperiscope.com 
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ualys Periscope 


2. WAS receives 
i. Unigueld 

ii. WOOWS url 
iii. Domain name 


7.WAS 
reguests WS 


PORTAL 
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3. Reguest with OOB 


payload 


8. WS Response 


Consumer 
Z 


A 


WOODS 


Vulnerable app 
makes external 
request 


Consumer 


1 .Start of scan i 
¡ 6. 
i Reguest Reguest 
i Consumed Published 
KAFKA CLUSTER 


Building Secure APIs 


OWASP API Security 
Top 10 


Broken Object Level Authorization (BOLA) 
Broken User Authentication 

Excessive Data Exposure 

Lack of Resources & Rate Limiting 

Broken Function Level Authorization 
Mass Assignment 


Security Misconfiguration 


OWASP 


The Open Web Application 
Security Project 


Injection 


Improper Assets Management 


KO D N vu BP UUN rm 


10 Insufficient Logging & Monitoring 


Example API - Pet Store 


= 


pet Everything about your Pets 


/pet/{petId} Find pet by ID 


/pet/{petId} Updates a pet in the store with form data a 
/pet/{petId} Deletes a pet a 


/pet/{petid}/uploadiImage uploads an image 5 


/pet Add a new pet to the store 8 
/pet Update an existing pet = 
/pet/findByStatus Finds Pets by status m 
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"swagger": "2.0", 


Relevant portion | ssas.. 


}, 


"host": "api.petstore.com", 


of the Swagger ||" 


"http" À "https" 


o he 
File DT 
"/pet/ApetId)": { 


"get" : { 
"summary": "Get info for a specific pet", 
"operationId": "showPetById", 
"parameters": [ 
{ 
"name": "petId", 


"in" Q "path" A 
"required": true, 


"description": "The ID of the pet to retrieve", 
"type": "integer" 
} 
1, 
"responses": { 
200751 
"description": "Expected successful response", 
"schema": { 
"Sref": "#/definitions/Pet" 
} 


SNIP... 
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How Does this Help with Security? 


We can leverage the Swagger spec to harden the API endpoints 
in a declarative way 


"paths": { "paths": { 
"/pet/{petId}": { "/pet/{petId}": { 
"get": { "get": { 

"summary": "Get info for a specific pet", "summary": "Get info for a specific pet", 

"operationId": "showPetById", "operationId": "showPetById", 

"parameters": [ "parameters": [ 
"name": "petId", "name": "petId", 
uini: path Yin! “path, 
"required": true, "required": true, 
"description": "The ID of the pet", "description": "The ID of the pet", 
"type": "integer" "type": "integer", 
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Capabilities Coming 
to Oualys API Security 


Static Assessment of Swagger/OpenAPI file 


Get recommended changes to harden your API 
Conformance Scan to check the API's actual © 
behavior 
Test the API endpoints for behavior that violates the 
Swagger file 
Vulnerability Scan to check the API for © U 
security flaws a.. 
Current feature in Oualys Web Application Scanning ° ° ur 
(WAS) a Er 
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Thank You 


Dave Ferguson 
dferguson@qualys.com 


